-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
NetBSD Security Advisory 2014-001
=================================
Topic: Stack buffer overflow in libXfont
Version: NetBSD-current: source prior to Tue 7th, 2014
NetBSD 6.1: affected
NetBSD 6.0 - 6.0.2: affected
NetBSD 5.1 - 5.1.2: affected
NetBSD 5.2: affected
Severity: privilege escalation
Fixed: NetBSD-current: Tue 7th, 2014
NetBSD-6-0 branch: Tue 7th, 2014
NetBSD-6-1 branch: Tue 7th, 2014
NetBSD-6 branch: Tue 7th, 2014
NetBSD-5-2 branch: Tue 7th, 2014
NetBSD-5-1 branch: Tue 7th, 2014
NetBSD-5 branch: Tue 7th, 2014
Teeny versions released later than the fix date will contain the fix.
Please note that NetBSD releases prior to 5.1 are no longer supported.
It is recommended that all users upgrade to a supported release.
Abstract
========
A stack buffer overflow in parsing of BDF font files in libXfont was
found that can easily be used to crash X programs using libXfont,
and likely could be exploited to run code with the privileges of
the X program (most nostably, the X server, commonly running as root).
This vulnerability has been assigned CVE-2013-6462
Technical Details
=================
- From the X.org advisory:
Scanning of the libXfont sources with the cppcheck static analyzer
included a report of:
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.
Evaluation of this report by X.Org developers concluded that a BDF font
file containing a longer than expected string could overflow the buffer
on the stack. Testing in X servers built with Stack Protector resulted
in an immediate crash when reading a user-provided specially crafted font.
As libXfont is used to read user-specified font files in all X servers
distributed by X.Org, including the Xorg server which is often run with
root privileges or as setuid-root in order to access hardware, this bug
may lead to an unprivileged user acquiring root privileges in some systems.
This bug appears to have been introduced in the initial RCS version 1.1
checked in on 1991/05/10, and is thus believed to be present in every X11
release starting with X11R5 up to the current libXfont 1.4.6.
(Manual inspection shows it is present in the sources from the X11R5
tarballs, but not in those from the X11R4 tarballs.)
Solutions and Workarounds
=========================
Workaround: restrict access to the X server.
Solutions: a fix is included in the following versions:
xorg: xsrc/external/mit/libXfont/dist/src/bitmap/bdfread.c
HEAD 1.3
netbsd-6 1.1.1.2.2.1
netbsd-6-1 1.1.1.2.6.1
netbsd-6-0 1.1.1.2.4.1
netbsd-5 1.1.1.1.2.2
netbsd-5-2 1.1.1.1.2.1.4.1
netbsd-5-1 1.1.1.1.2.1.2.1
xfree: xsrc/xfree/xc/lib/font/bitmap/bdfread.c
HEAD 1.4
netbsd-6 1.2.8.1
netbsd-6-1 1.2.14.1
netbsd-6-0 1.2.10.1
netbsd-5 1.2.2.1
netbsd-5-2 1.2.12.1
netbsd-5-1 1.2.6.1
To obtain fixed binaries, fetch the appropriate xbase.tgz from a daily
build later than the fix dates, i.e.
http://nyftp.netbsd.org/pub/NetBSD-daily////binary/sets/xbase.tgz
with a date 20140108* or larger, and your release version and architecture,
and then extract the libXfont shared library files:
for X.org environments, netbsd-6* and HEAD:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
./usr/X11R7/lib/libXfont.so.3 \
./usr/X11R7/lib/libXfont.so.3.0
for X.org environments and netbsd-5*:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R7/lib/libXfont.so \
./usr/X11R7/lib/libXfont.so.2 \
./usr/X11R7/lib/libXfont.so.2.0
and for xfree environments:
cd / && tar xzpf /path/to/xbase.tgz ./usr/X11R6/lib/libXfont.so \
./usr/X11R6/lib/libXfont.so.1 \
./usr/X11R6/lib/libXfont.so.1.5
To build from source, update bdfread.c to the appropriate version and then
"./build.sh -x" from the top of the src tree.
Thanks To
=========
X.Org thanks the authors of the cppcheck tool for making their static
analyzer available as an open source project we can all benefit from.
http://cppcheck.sourceforge.net/
NetBSD would like to thank X.org for looking for and fixing this
vulnerability.
Revision History
================
2014-01-07 Initial release
More Information
================
Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at
http://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2014-001.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.org/ and http://www.NetBSD.org/Security/ .
Copyright 2014, The NetBSD Foundation, Inc. All Rights Reserved.
Redistribution permitted only in full, unmodified form.
$NetBSD: NetBSD-SA2014-001.txt,v 1.2 2014/01/07 21:04:33 tonnerre Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (NetBSD)
iQIcBAEBAgAGBQJSzGwWAAoJEAZJc6xMSnBuGpoP/12ryE0zIMg5/f2F1f7g9Aul
3gHJAo8kY9zseDRKBQ/VE4YfaEYoDjZFeOPJby0d6zanIp8kkVdQyGEVgCBzVduO
zF6Ss9k0aqhttp4KoBgXkfPZitPo2WWcyedJKztrTCMyLhs3ET8ApQRoGoyg+Lcn
jddEmS7gWo7pRJwT2A7Yc3GAPkBoWJ+QnnaoynOVntmSKtbmx2kFSKDgDpst7sIN
u0dRGd+qN7XcUjncd6vrfipnG1ZaJrbAZxrlQOHuSBbF/PNh8SDyveoUhnUgxGiE
FUKeE9duMj2Q1oe8Q6xIR2c1mmj+sbPlHZrFmGNaUh/PJEVo6jz//BzW5ow+xiZS
Zny5eaDKVFeJROtP+JzCe047yC/2g1kVBbudqIwabaeqt85I8kL/XDMk9Rg0PqQB
QqiwQgnP2fSUaTFrZEgIK2lB/OoSZgqaRjrGJuxjru7fJXaHJ+q9aATGFpdfcunC
HDwoZZ97WjD9QGz78coI1dJCrzozeWWCm4DrRzOgCD4vfKCHWQTiylz04/V/McZv
eFzC7hNAU47UyRmRNzwKkL1ejmIEn3ZQRZJ3f80AZ4nKEIFM50alCg2s4SRMzz6s
MFyghD6v3HZ4ungc1Y39WlXa25ZDuVola7lfiDVqE/5KiXqMHz858hFG2HhYamHn
oWVaKjZ2wi7m5Zj1ZHkf
=wseV
-----END PGP SIGNATURE-----